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Memorandum of Understanding between the Information 
Commissioner and British Board of Film Classification 


Introduction 


I. This Memorandum of Understanding (MoU) establishes a framework 
for cooperation and information sharing between the Information 
Commissioner (“the Commissioner") and the British Board of Film 
Classification (“the BBFC”), collectively referred to as "the 
parties" throughout this document. In particular, it sets out the 
broad principles of collaboration and the legal framework governing 
the sharing of relevant information and intelligence between the 
parties. The shared aims of this MoU are to enable closer working 
between the parties, including the exchange of appropriate 
information, so as to assist them in discharging their regulatory 
functions. 


2. This MoU is a statement of intent that does not give rise to legally 
binding obligations on the part of either the Commissioner or the 
BBFC. The parties have determined that they do not exchange 
sufficient quantities of personal data to warrant entering into a 
separate data sharing agreement, but this will be kept under 
review. 


The role and function of the Information Commissioner 


3; The Commissioner is a corporation sole appointed by Her Majesty 
the Queen under the General Data Protection Regulation and the 
Data Protection Act 2018 to act as the UK’s independent regulator 
to uphold information rights in the public interest, promote 
openness by public bodies and data privacy for individuals. 


4. The Commissioner is empowered to take a range of regulatory 
action for breaches of the following legislation: 


e Data Protection Act 2018 (DPA); 


e General Data Protection Regulation (GDPR); 
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e Privacy and Electronic Communications (EC Directive) 
Regulations 2003 (PECR); 


e Freedom of Information Act 2000 (FOIA); 
e Environmental Information Regulations 2004 (EIR); 


e Environmental Protection Public Sector Information 
Regulations 2009 (INSPIRE Regulations); 


e Investigatory Powers Act 2016; 
e Re-use of Public Sector Information Regulations 2015; 
e Enterprise Act 2002; 


e Security of Network and Information Systems Directive (NIS 
Directive); and 


e Electronic Identification, Authentication and Trust Services 
Regulation (eIDAS). 


5a Article 57 of the GDPR and Section 115(2)(a) of the DPA 2018 place 
a broad range of statutory duties on the Commissioner, including 
monitoring and enforcement of the GDPR, promotion of good 
practice and adherence to the data protection obligations by those 
who process personal data. These duties sit alongside those relating 
to the other enforcement regimes outlined in paragraph 4 above. 


6. The Commissioner's regulatory and enforcement powers include: 


e conducting assessments of compliance with the DPA, GDPR, 
PECR, eIDAS, the NIS Directive, FOIA and EIR; 


e issuing information notices requiring individuals, controllers or 
processors to provide information in relation to an 
investigation; 


e issuing enforcement notices, warnings, reprimands, practice 
recommendations and other orders requiring specific actions 
by an individual or organisation to resolve breaches (including 
potential breaches) of data protection legislation and other 
information rights obligations; 


e administering fines by way of penalty notices in the 
circumstances set out in section 152 of the DPA; 
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e administering fixed penalties for failing to meet specific 
obligations (such as failing to pay the relevant fee to the 
Commissioner); 


e issuing decision notices detailing the outcome of an 
investigation under FOIA or EIR; 


e certifying contempt of court should an authority fail to comply 
with an information notice, decision notice or enforcement 
notice under FOIA or EIR; and 


e prosecuting criminal offences before the Courts. 


Regulation 31 of PECR, as amended by the Privacy and Electronic 
Communications (EC Directive) (Amendment) Regulations 2011, 
also provides the Commissioner with the power to serve 
enforcement notices and issue monetary penalty notices as above 
to organisations who breach PECR. This includes, but is not limited 
to, breaches in the form of unsolicited marketing which falls within 
the ambit of PECR, including automated telephone calls made 
without consent, live telephone calls which have not been screened 
against the Telephone Preference Service, and unsolicited electronic 
messages (Regulations 19, 21 and 22 of PECR respectively). 


Functions and powers of the British Board of Film Classification 


8. 


10. 


tt, 


The BBFC is an independent, not-for-profit company designated by 
the Secretary of State to be the age-verification Regulator under 
Part 3 of the Digital Economy Act 2017 (the Act) with responsibility 
for regulating the requirement in the Act that online pornographic 
material made available to persons in the UK on a commercial basis 
should not normally be accessible by persons under the age of 18. 


The BBFC is responsible pursuant to the Act for assessing and 
determining whether the arrangements for making pornographic 
material available online comply with the requirements of section 
14(1) of the Act. 


The BBFC is also responsible pursuant to the Act for assessing and 
determining whether a person is making extreme pornographic 
material available on the internet to persons in the UK. 


The BBFC is responsible for identifying and notifying non-compliant 
providers of online commercial pornography of any contravention of 
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12. 


the Act, and notifying ancillary service providers and payment 
service providers of the same. The BBFC may also direct internet 
service providers to block access to the material being made 
available in contravention of the Act by non-compliant providers of 
online commercial pornography. 


Where the BBFC is satisfied that the requirements of section 14(1) 
of the Act have been breached, an enforcement notice may be 
served on the non-compliant person requiring them to end the 
contravention of section 14(1). A person on whom an enforcement 
notice has been served may appeal to the Independent Appeals 
Panel. 


Purpose of information sharing 


13. 


14. 


The broad purpose of the MoU is to enable both the Commissioner 
and the BBFC to share relevant information which enhances their 
ability to exercise their respective functions. 


This MoU should not be interpreted as imposing a requirement on 
either party to disclose information in circumstances where doing so 
would breach their statutory responsibilities. In particular, each 
party must ensure that any disclosure of personal data pursuant to 
these arrangements fully complies with both the GDPR and the DPA 
2018. The MoU sets out the potential legal basis for information 
sharing, but it is for each party to determine for themselves that 
any proposed disclosure is compliant with the law. 


Principles of cooperation and sharing 


15; 


16. 


Chapter 3.6 of the Secretary of State Guidance to the Regulator 
(the BBFC) states: 


The role of the Regulator should be to focus on the ability of 
arrangements to verify whether someone is over 18. The Regulator 
should not duplicate the role of the Information Commissioner's 
Office (ICO), the UK’s independent body set up to uphold 
information rights. 


The requirement for age-verification services and online 
pornography providers to comply with data protection legislation 
and information about the ICO’s regulatory role are set out in 
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18. 


19. 


20. 


Chapter 4 of the Guidance on Age-verification Arrangements 
published by the BBFC. 


As set out in Chapter 3 of the Guidance on Age-verification 
Arrangements, subject to any legal restrictions on the disclosure of 
information (whether imposed by statute or otherwise) and at its 
discretion, the BBFC agrees that it should inform the Commissioner 
where concerns arise during its assessment of the Age-verification 
effectiveness that the arrangement does not comply with data 
protection legislation. The BBFC will inform any online commercial 
pornography provider that it has raised concerns with the 
Commissioner. The Commissioner may investigate any such 
concerns in line with her established investigative procedures. 


As set out at 3.11 of the Guidance on Age-verification 
Arrangements, the BBFC is developing a voluntary, non-statutory 
certification scheme for age-verification solutions in consultation 
with the ICO. The BBFC agrees that it will inform the Commissioner 
of any non-certified age-verification solutions which it finds. Once 
the BBFC informs the Commissioner of a non-certified age- 
verification solution, the Commissioner will then assess whether 
further investigation is required and will take action accordingly. As 
set out in the Guidance on Age-verification Arrangements, the BBFC 
will assess age-verification arrangements in order to ensure that 
online commercial pornographic services using those arrangements 
meet the requirement under section 14(1) of the Act. 


Subject to any legal restrictions on the disclosure of information 
(whether imposed by statute or otherwise) and at her discretion, 
the Commissioner agrees that she should inform the BBFC where 
concerns arise, during her regulation of the legislation set out in 
paragraph 4, to any potential breaches, or information relevant to 
the BBFC’s duties set out above. 


Subject to any legal restrictions on the disclosure of information 
(whether imposed by statute or otherwise) and at their discretion 
both parties will: 


e Communicate regularly to discuss matters of mutual interest 
(this may involve participating in multi-agency groups to 
address common issues and threats). 
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e Consult one another on any issues which might have 
significant implications for the other organisation. 


e Notify one another of the outcome of a case before it is made 
public in those cases in which the other body has an interest. 


e Share in confidence internal guidance and draft external 
guidance relevant to the functions of both bodies. 


21. Both parties will comply with the general laws they are subject to, 
including, but not limited to, local data protection laws. 


Legal basis for sharing information 
Information shared by the BBFC with the Commissioner 


22. The Commissioner's statutory function relates to the legislation set 
out at paragraph 4, and this MoU governs information shared by the 
BBFC to assist the Commissioner to meet those responsibilities. To 
the extent that any such shared information is to comprise personal 
data, as defined under the GDPR and DPA 2018, the BBFC is a Data 
Controller so must ensure that it has legal basis to share it and that 
doing so would otherwise be compliant with the data protection 
principles. 


23. Section 131 of the Data Protection Act 2018 effectively creates a 
legal basis for the BBFC to share information with the 
Commissioner. Under this particular provision, the BBFC is not 
prohibited or restricted from disclosing information to the 
Commissioner by any other enactment or rule of law provided it is 
"information necessary for the discharge of the Commissioner's 
functions”. 


Information shared by the Commissioner with the BBFC 


24. The Commissioner, during the course of her activities, will receive 
personal data from a range of sources. She will process all such 
personal data in accordance with the principles of the GDPR, the 
DPA 2018 and all other applicable legislation. The Commissioner 
may identify that personal data she holds ought to be shared with 
the BBFC as it would assist them in performing their functions and 
responsibilities. 
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26. 


27. 


28. 


Under Section 132(1) of the DPA 2018, the Commissioner is 
permitted to share information with the BBFC where she has lawful 
authority to do so. In particular, it will be lawful in circumstances: 


e where the sharing is necessary for the purposes of the 
Commissioner discharging her functions, 

e where the sharing is for the purposes of criminal or civil 
proceedings, however arising, or 

e where the sharing is necessary in the public interest, taking 
into account the rights, freedoms and legitimate interests of 
any person ( as set out in section 132(2) of the DPA) 


If information to be disclosed by the Commissioner was received by 
her in the course of discharging her functions as a designated 
enforcer under the Enterprise Act 2002, any disclosure shall be 
made in accordance with the restrictions set out in Part 9 of that 
Act. 


Where information is to be disclosed by either party for law 
enforcement purposes under section 35(4) or s5(5) of the DPA 2018 
then they will only do so in accordance with an appropriate policy 
document as outlined by section 42 of the DPA. 


Where a request for information is received by either party under 
data protection laws or FOIA, the recipient of the request will seek 
the views of the other party as described in the FOIA section 45 
Code of Practice, where the information being sought under the 
request includes information obtained from, or shared by, the other 
party. However the decision to disclose or withhold the information 
(and therefore any liability arising out of that decision) remains with 
the party in receipt of the request as Data Controller in respect of 
that data. 


Method of exchange 


29. 


Appropriate security measures shall be agreed to protect 
information transfers in accordance with the sensitivity of the 
information and any classification that is applied by the sender. 
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Duration and review of the MoU 


30. The Commissioner and the BBFC will monitor the operation of this 
MoU and will review it initially after one year from the date of this 
document and subsequently from time to time as necessary. 


31. Any minor changes to this memorandum identified between reviews 
may be agreed in writing between the parties. 


32. Any issues arising in relation to this memorandum will be notified to 
the point of contact for each organisation. 


Key contacts 
33. The parties have both identified a key person who is responsible for 


managing this MoU: 
34. 


Information Commissioner’s | British Board of Film 
Office Classification 


Adam Stevens - Head of Murray Perkins — Head of DEA 
Intelligence Email: 


Email: ih@ico.org.uk Telephone: 
Telephone: 0330 414 6785 Address: 3 Soho Square, 


Address: Wycliffe House, Water | London, WiD 3HD 
Lane, Wilmslow, SK9 5AF 


35. Those individuals will maintain an open dialogue between each 
other in order to ensure that the MoU remains effective and fit for 
purpose. They will also seek to identify any difficulties in the 
working relationship, and proactively seek to minimise the same. 


Signatories 


Elizabeth Denham David Austin 
Information Commissioner Chief Executive 


Date: 8 October 2018 Date: X Dolar fals 


